Let’s specifically address comment spam here for a moment, since that’s the topic du jour.
Phil Ringnalda presents another view on TypeKey. I tried to avoid any one solution in yammering about spamming the other day, but TypeKey clearly was on my mind. Phil brings up a point that’s so painfully obvious that I feel stupid for not thinking of it before now:
I want the first class to post whatever they want, whenever they want, with any HTML they want. I want the second class to post, but I might not want to let them use HTML, or link from their name, until I’ve looked at what they have to say, and if their noise got to be too much I might even want to hide them like a Slashdot comment below the normal browsing level, so that they were visible, but only with an effort. The third class? They can find their own place to talk, there’s plenty of places other than here.
There I was, thinking about the privileges to even post, when I should have been thinking about privileges to post different things.
Now, Phil was talking about a variety of levels, but say I have a good friend who posts horribly malformed HTML in their comments. [I don’t know that I have a friend like that; this is abjectly hypothetical, not passive/aggressively ignoring the elephant in the room.] I would, eventually, remove their ability to post HTML. Why? It’s not worth my time to go and fix their bad markup in their comments, and their bad markup fouls my page.
Wholly untrusted users wouldn’t get to post anything, and while they could submit an URL with their comment-authoring information, it wouldn’t get presented to the user until I’d figured that it was okay.
With a solution like this—one that doesn’t allow links from unknown users—the comment spamming problem largely goes away. If comment spammers can’t post HTML, they have to build my trust before abusing it.
Again, that’s a potential situation, and it is a case where I would probably not seek to rely on a centralized authentication system. I still think that shared whitelists is the way to go.
Stepping over into the WordPress world for a moment, I want to invite the developers to consider reforming the user-registration system. Currently, there are 11 levels of users in WordPress, and only a couple of them matter. A user with a level of 1 can currently post new entries to the database; a user with a level of 5 or greater is generally considered an administrator. A user with a level >N can edit level N posts; the default admin account is given a 10, and there can only be one level 10 account.
Realistically, though, you only need two or three gradations of postability levels: admin [top dog], editor [middle dog], writer [sniffin’ butts]. If you set these levels at 10, 9, and 8, you still have a user system with eight remaining levels [0-7]. That’s probably more gradation than any of us needs—shoot, Slashdot does 0-5, and that works for them—but it’s enough to allow the start of a great commenting system to be glommed onto an in-place database.